A presentation we gave together with Pete Herzog, Director of ISECOM, during the I Juegos Fractales de la Vila de Gràcia held at the CSOA de Les Naus. It presents aspects of the new version of the OSSTMM (Open Source Security Testing Methodology Manual), led by Pete Herzog with contributions from security experts around the world, among them members of the technical team of Internet Security Auditors. It also presented this year's Hacker High School project, sponsored by La Salle, on which Internet Security Auditors collaborates in Spain and Mediaservice from Italy, together with many other people who contribute on a voluntary basis.
I Spy. The World of Info Security from the Known to the Unknown.
1. Copyright 2002 - 2003 - Pete Herzog, Institute for Security and Open Methodologies (ISECOM)
Security
1. Process Security
2. Information Security
3. Physical Security
4. Communications Security
5. Wireless Security
6. Internet Security
There is no such thing as security based on stolen entropy.
The universe is made of information which contains matter and energy.
Is security a manifest of information or is it about energy?
OSSTMM
I am a scientist.
I am a researcher.
I am a detective.
I am a scholar.
I am a spy.
I am a watchdog.
I am a hacker.
Data Collection
Competitive Intelligence Scouting
Exploit Research and Verification
Posture Review
System Service Verification
Privacy Review
Document Grinding
Internet Application Testing
Routing
Denial of Service Testing
Trusted Systems Testing
Password Cracking
Access Control Testing
Containment Measures Testing
Alert and Log Review
Security Policy Review
Verification Testing
Logistics and Controls
Network Surveying
Intrusion Detection Review
Survivability Review
Privileged Service Testing
Finite Knowledge Limits
What is the most detail, dirt, and nasty little secret I can find out by looking at the big picture?
Business Intelligence
1. Map and measure the directory structure of the web servers
2. Map and measure the directory structure of the FTP servers
3. Examine the WHOIS database for business services relating to registered host names
4. Determine the IT cost of the Internet infrastructure based on OS, applications, and hardware.
5. Determine the cost of the support infrastructure based on regional salary requirements for IT professionals, job postings, number of personnel, published resumes, and responsibilities.
6. Measure the buzz (feedback) about the organization on newsgroups, web boards, and industry feedback sites
7. Record the number of products being sold electronically (for download)
8. Record the number of products found on P2P sources and warez sites, the cracks available up to specific versions, and documentation, both internal and third party, about the products
9. Identify the business partners
10. Identify the customers, from organizations to industry sectors
11. Verify the clarity and ease of use of the merchandise purchasing process
12. Verify the clarity and ease of use of the merchandise return policy and process
13. Verify that all agreements made over the Internet, from digital signature to pressing a button which signifies acceptance of an end-user agreement, can be repudiated immediately and for up to 7 days.
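The first step above, mapping and measuring the directory structure of a web server, is the one that lends itself to automation. The following is an added example, not code from the slides or from the OSSTMM: a same-origin crawler that reconstructs the directory tree from the links it finds and reports depth, file count and directory names worth a closer look. It assumes nothing about a real target; the fetch function is injected, and here it is backed by a constructed dictionary of path to HTML standing in for the server, so it runs offline (the host name target.example and the NOTEWORTHY word list are illustrative choices).

```python
"""Map and measure a web server's directory structure from crawled links.

Added example, not code from the slides or the OSSTMM. It does not talk to a
network: fetch() is injected, and here it is backed by a constructed dict of
path -> HTML that stands in for a target web server.
"""
from collections import deque
from html.parser import HTMLParser
import posixpath
from urllib.parse import urldefrag, urljoin, urlparse

# Constructed sample site (assumption: not a real host). Missing paths are 404s.
SAMPLE_SITE = {
    "/": '<a href="/products/">Products</a> <a href="/about.html">About</a>'
         ' <a href="http://other.example/x">Partner</a>',
    "/about.html": '<a href="/">Home</a> <a href="/about/team.html#top">Team</a>',
    "/about/team.html": '<a href="../index.html">Up</a>',  # dangling link -> 404
    "/products/": '<a href="widget.html">Widget</a> <a href="/products/old/v1/">Old</a>'
                  ' <a href="/admin/">Admin</a>',
    "/products/widget.html": '<a href="../downloads/widget-1.0.zip">Download</a>',
    "/products/old/v1/": '<a href="/products/old/v1/readme.txt">readme</a>',
    "/products/old/v1/readme.txt": "",
    "/downloads/widget-1.0.zip": "",
    "/admin/": '<a href="/admin/login.php">Login</a>',
    "/admin/login.php": "",
}

# Directory names that usually deserve a closer look (illustrative word list).
NOTEWORTHY = {"admin", "old", "backup", "bak", "test", "dev", "private", "tmp"}


class LinkExtractor(HTMLParser):
    """Collect href/src/action values from a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def crawl(base, fetch, max_pages=500):
    """Breadth-first crawl of same-origin links; returns the set of paths that exist.

    fetch(path) returns the page body, or None for a missing page.
    """
    origin = urlparse(base).netloc
    visited, found = set(), set()
    queue = deque([base])
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        path = urlparse(url).path or "/"
        if path in visited:
            continue
        visited.add(path)
        body = fetch(path)
        if body is None:          # 404 or unreachable: not part of the map
            continue
        found.add(path)
        extractor = LinkExtractor()
        extractor.feed(body)
        for link in extractor.links:
            # Resolve relative links against the page, drop fragments,
            # and stay on the same host.
            target = urlparse(urldefrag(urljoin(url, link)).url)
            if target.scheme in ("http", "https") and target.netloc == origin:
                queue.append(target.geturl())
    return found


def measure(paths):
    """Turn a set of paths into directory-tree metrics."""
    tree = {}                     # directory -> set of file names
    for path in paths:
        directory, name = posixpath.split(path)
        directory = directory.rstrip("/") or "/"
        d = directory             # register the directory and all its ancestors
        while True:
            tree.setdefault(d, set())
            if d == "/":
                break
            d = posixpath.dirname(d)
        if name:
            tree[directory].add(name)
    return {
        "directories": sorted(tree),
        "file_count": sum(len(files) for files in tree.values()),
        "depth": max(0 if d == "/" else d.count("/") for d in tree),
        "noteworthy": sorted(d for d in tree if posixpath.basename(d) in NOTEWORTHY),
    }


if __name__ == "__main__":
    stats = measure(crawl("http://target.example/", SAMPLE_SITE.get))
    for key, value in stats.items():
        print(f"{key}: {value}")
```

Against a live server, replace `SAMPLE_SITE.get` with a function that performs the HTTP request and returns None on a 404; ancestor directories are registered even when no index page links to them, because a path like /products/old/v1/ proves /products/old exists whether or not it is listed.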
When I look deep inside myself, I see your weaknesses.
Privacy Review
Policy
1. Identify public privacy policy
2. Identify web-based forms
3. Identify database type and location for storing data
4. Identify data collected by the organization
5. Identify storage location of data
15. Identify fictionalized persons, organizations, or institutions with real persons.
16. Identify persons or organizations portrayed in a negative manner.
17. Identify persons, organizations, or materials which, as themselves or as a likeness thereof, are used for commercial reasons, as in web sites or advertisements.
18. Identify information about employees, persons, organizations, or materials which contains private information.
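Items 1, 2 and 4 of the policy review (public privacy policy, web-based forms, data collected) can be inventoried mechanically before the manual part starts. The block below is an added example, not code from the slides or the OSSTMM: it records every form on a set of pages, the named fields a user fills in, the kind of personal data the field names suggest, and three conditions a reviewer would flag (submission over cleartext http, personal data sent by GET, and no privacy policy link on the collecting page). The pages are constructed and the field-name patterns are a heuristic of my own, not a standard.

```python
"""Inventory web forms and the personal data they collect (privacy review).

Added example, not code from the slides or the OSSTMM. It runs over a
constructed dict of path -> HTML standing in for fetched pages, so it works
offline; the sensitive-field patterns are a heuristic, not a standard.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (assumption: not a real site).
SAMPLE_PAGES = {
    "/contact.html": (
        '<form action="/contact" method="post"><input name="name" type="text">'
        '<input name="email" type="email"><textarea name="message"></textarea>'
        '<input type="submit" value="Send"></form>'
        '<a href="/privacy.html">Privacy policy</a>'
    ),
    "/newsletter.html": (
        '<form action="http://mail.example/subscribe" method="get">'
        '<input name="email"><input type="submit" value="Go"></form>'
    ),
    "/checkout.html": (
        '<form action="/pay" method="post"><input name="cardnumber">'
        '<input name="cvv"><input name="dob"><input name="ssn_last4">'
        '<input type="hidden" name="csrf" value="x"><input type="submit"></form>'
    ),
}

# Heuristic field-name patterns for categories of personal data.
SENSITIVE = {
    "email": re.compile(r"e?mail", re.I),
    "phone": re.compile(r"phone|\btel|mobile", re.I),
    "government id": re.compile(r"\bssn|social|\bdni\b|\bnif\b|passport", re.I),
    "payment card": re.compile(r"card|cc[_-]?num|cvv|expir", re.I),
    "date of birth": re.compile(r"\bdob|birth", re.I),
    "credential": re.compile(r"passw|\bpin\b", re.I),
}
NOT_DATA = {"submit", "button", "reset", "image", "hidden"}  # carry no user input


class FormInventory(HTMLParser):
    """Record each form's action, method and named user-input fields,
    plus whether the page links to a privacy policy."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.has_privacy_link = False
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "privacy" in (a.get("href") or "").lower():
            self.has_privacy_link = True
        elif tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            name = a.get("name")
            if name and (a.get("type") or "text").lower() not in NOT_DATA:
                self._form["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def classify(field_name):
    """Categories of personal data a field name suggests (may be empty)."""
    return sorted(cat for cat, rx in SENSITIVE.items() if rx.search(field_name))


def review_site(pages):
    """Return one finding per form: where the data goes, what it is, what is wrong."""
    findings = []
    for path, html in pages.items():
        inv = FormInventory()
        inv.feed(html)
        for form in inv.forms:
            categories = sorted({c for f in form["fields"] for c in classify(f)})
            issues = []
            if urlparse(form["action"]).scheme == "http":
                issues.append("form submits over cleartext http")
            if categories and form["method"] == "get":
                issues.append("personal data sent via GET (lands in URLs, logs and referers)")
            if categories and not inv.has_privacy_link:
                issues.append("no privacy policy link on the page that collects the data")
            findings.append({"page": path, "action": form["action"] or path,
                             "fields": form["fields"], "categories": categories,
                             "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in review_site(SAMPLE_PAGES):
        print(finding)
```

The output is the raw material for items 3 and 5 (where the data is stored): each finding names the endpoint the form posts to, which is what you then trace to a database or third party. A relative action inherits the page's scheme, so only an absolute http:// action is flagged; hidden fields are excluded because they carry no user-supplied data.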
While nobody is watching you, I see you studying us.
Invisible Information
Electromagnetic Radiation (EMR) Testing
802.11 Wireless Networks testing
Bluetooth Networks Testing
Wireless Input Device Testing
Wireless Handheld Testing
Cordless Communications Testing
Wireless Surveillance Device Testing
Wireless Transaction Device Testing
RFID Testing
Infrared Testing
Info Security for the Future
Electromagnetic and High Frequency Firewalls
• Invisible fences work for dogs and cats, and now they work for information!
All Frequency Intrusion Detection
• Am I being bugged?
• Is that your satellite relay coming through my home?
Smart Electromagnetic Containment Measure Materials
• Your radio waves are being monitored for my health.
Processing the Masses
Standards and Methodologies
• Do it right the first time.
Practical Security Conferences for Professionals
• Spit out the bad practices
• Suck in the good ones
Hacker Highschool for Teens
• From asocial to watchdog in just a few weeks!